Let's Talk Data Security

The world wakes up to GDPR: where did it come from?

Written by Paul Hammersley | Feb 6, 2017 2:38:00 PM

Since the start of the year, the volume has definitely been turned up on GDPR. I was speaking to customers and partners about GDPR throughout 2016, but in many cases the start of the conversation was explaining the basics to them (which was often met with some shock and concern). Having enlightened a customer on this topic, I was expecting immediate requests for data analysis services, product demos etc. In my mind, this was such a wide-ranging compliance requirement, and May 2018 was looming ever nearer. I was starting to fret on my customers’ behalf and couldn’t understand why they weren’t.

Then it dawned on me: this regulation has been in the making for over seven years. The last few years probably started with the expectation of it being finalised, but that never came to pass. So those working exclusively in the data privacy and governance areas were aware of it, and monitoring the situation, but the wider business was unaware. And crucially, no additional budget was allocated for GDPR compliance in the 2016 fiscal year, because no one expected the draft to be agreed for sure. Organisations starting their fiscal year in January this year were for the first time able to plan budgets with a certainty of when this regulation would come into effect.

Of course, that is essentially how big organisations work. Projects may be interesting, important or critical to the business, but the moment you want to allocate someone’s time to them, the question is asked: which budget is this allocated against? And if the answer is ‘there isn’t one’, then the subject is put on the back burner. I remember a few years ago talking to a customer about why they weren’t masking data in test systems, and the response was ‘we know we should be doing more, but right now there isn’t budget for that’. And that, of course, is the difference. With the headline of potential fines of 4% of global turnover or €20 million, it’s much easier to get a slice of the cake when the budget is being planned.

For the companies that now have budget allocated, a team has been put together, or at least earmarked, that combines IT, Compliance, Legal and Audit. And when they start to size up the sheer scope, it’s clear this is a significant undertaking. The project will look different for every company, varying greatly between industries, countries where they trade, company culture, IT systems used, business processes in place and much more.

In effect, the project looks like a big road map with some significant bridges or tunnels missing (or in some cases whole roads!) that would allow all the necessary journeys to take place. The focus is initially on the biggest gaps: How can we access file system data on shared drives? What about paper copies? Can we give the Right to be Forgotten for these data and process types? It’s interesting being in some of these discussions and seeing common themes and approaches.

I’ll continue to share more as these projects evolve.